Vulnerabilities > CVE-2000-0490 - Unspecified vulnerability in Netwin Dmail

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
netwin
critical
nessus
exploit available

Summary

Buffer overflow in the NetWin DSMTP 2.7q in the NetWin dmail package allows remote attackers to execute arbitrary commands via a long ETRN request.

Exploit-Db

description: NetWin DMail 2.7/2.8 ETRN Buffer Overflow Vulnerability. CVE-2000-0490. Remote exploit for linux platform
id: EDB-ID:19983
last seen: 2016-02-02
modified: 2000-06-01
published: 2000-06-01
reporter: noir
source: https://www.exploit-db.com/download/19983/
title: NetWin DMail 2.7/2.8 ETRN Buffer Overflow Vulnerability

Nessus

NASL family: SMTP problems
NASL id: DMAIL_OVERFLOW.NASL
description: The remote SMTP server is vulnerable to a buffer overflow when the ETRN command is issued arguments which are too long. A remote attacker could exploit this to crash the SMTP server, or possibly execute arbitrary code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10438
published: 2000-06-07
reporter: This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10438
title: NetWin DSMTP (Dmail) ETRN Command Overflow
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: runs only when `description` is set. It declares the
# plugin's metadata and scheduling requirements, then exits (exit(0) at the end
# of this block), so none of the probing code further down is reached.
if (description)
{
 script_id(10438);
 script_version("1.37");
 script_cvs_date("Date: 2018/11/15 20:50:24");

 # Advisory identifiers this check is mapped to.
 script_cve_id("CVE-2000-0490");
 script_bugtraq_id(1297);

 script_name(english:"NetWin DSMTP (Dmail) ETRN Command Overflow");
 script_summary(english:"Checks if the remote mail server is vulnerable to a ETRN overflow");

 # Report text shown to the operator: synopsis, description, reference, fix.
 script_set_attribute(attribute:"synopsis", value:"The remote SMTP server has a buffer overflow vulnerability.");
 script_set_attribute(attribute:"description", value:
"The remote SMTP server is vulnerable to a buffer overflow when the
ETRN command is issued arguments which are too long. A remote attacker
could exploit this to crash the SMTP server, or possibly execute
arbitrary code.");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Jun/15");
 script_set_attribute(attribute:"solution", value:
"Upgrade to the latest version of the SMTP server. If you are using
NetWin DSMTP, upgrade to version 2.7r or later.");
 # CVSS v2 base vector: network-reachable, low complexity, no authentication,
 # complete confidentiality/integrity/availability impact.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 # CVSS v2 temporal vector: proof-of-concept exploit (E:POC), official fix
 # available (RL:OF), report confirmed (RC:C).
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2000/06/01");
 script_set_attribute(attribute:"plugin_publication_date", value:"2000/06/07");

 # Findings are flagged as potential: the script infers the flaw from a banner
 # match or from a failed reconnect, not from a confirmed overflow.
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # Mixed category: the script body takes a banner-only path when safe_checks()
 # is true and otherwise sends an oversized ETRN argument to the service.
 script_category(ACT_MIXED_ATTACK); # mixed
 script_family(english:"SMTP problems");

 script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");

 # Scheduling constraints: the listed plugins are declared as dependencies, the
 # Settings/ParanoidReport KB key must be present, and an SMTP service (or
 # port 25) is required.
 script_dependencie("smtpserver_detect.nasl", "sendmail_expn.nasl");
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/smtp", 25);

 # Stop here in registration mode; no network traffic is generated.
 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smtp_func.inc");

# Only run under paranoid reporting: both detection paths below are indirect
# (banner match or failed reconnect), so results can be false positives.
if (report_paranoia < 2)
{
  audit(AUDIT_PARANOID);
}

# Pick the SMTP port to test (default 25); exit_on_fail is set, so the script
# stops here when no usable port is returned.
port = get_service(svc:"smtp", default:25, exit_on_fail: 1);

# Do not test a service whose KB entry marks it as broken.
broken_key = 'SMTP/'+port+'/broken';
if (get_kb_item(broken_key))
{
  exit(0);
}

# Safe-checks path: decide from the SMTP greeting alone and never send the
# oversized ETRN argument. Every route through this branch ends in exit(0).
if (safe_checks())
{
  banner = get_smtp_banner(port:port);

  # No banner available: nothing to compare, finish silently.
  if (!banner) exit(0);

  # 2.7r is the fixed release named in the solution text; a banner containing
  # that string is treated as patched.
  # NOTE(review): this is a substring test over the whole banner, not a parsed
  # version comparison - confirm it cannot match unrelated banner text.
  if ("2.7r" >< banner) exit(0);

  # Versions reported: DSMTP 2.0 through 2.7 (any suffix) and 2.8a through 2.8h.
  # NOTE(review): because "q*" also matches zero characters and is followed by
  # ".*", any 2.7 build other than the literal "2.7r" is reported, including
  # later 2.7 letters if such releases exist - verify against vendor versioning.
  vuln_banner_re = "^220.*DSMTP ESMTP Server v2\.([0-7]q*|8[a-h]).*";
  if (egrep(string:banner, pattern:vuln_banner_re))
  {
    security_hole(port:port, extra:'\nNessus only checked the SMTP banner.\n');
  }

  exit(0);
}


# Intrusive path (reached only when safe_checks() is false): send an ETRN
# command with a 500-byte filler argument, then see whether the service still
# accepts connections. A positive result means the mail service went down
# during the scan, so this path is disruptive to the tested server.
smtp_sock = open_sock_tcp(port);
if (!smtp_sock) exit(1);

# Read the greeting and the HELO reply so the session is in command state.
# NOTE(review): neither reply is inspected; the probe is sent even if the
# server returned nothing or an error.
greeting = smtp_recv_banner(socket:smtp_sock);
helo_cmd = string("HELO example.com\r\n");
send(socket:smtp_sock, data:helo_cmd);
helo_reply = recv_line(socket:smtp_sock, length:1024);

# Oversized ETRN argument followed by QUIT; no response is read back.
etrn_cmd = string("ETRN ", crap(500), "\r\n");
send(socket:smtp_sock, data:etrn_cmd);
send(socket:smtp_sock, data:string("QUIT\r\n"));
close(smtp_sock);

# Liveness check: a refused or failed reconnect is reported as a crash.
# NOTE(review): any reconnect failure (connection limits, filtering, transient
# network loss) is reported the same way - one reason the plugin is restricted
# to paranoid reporting.
recheck_sock = open_sock_tcp(port);
if (recheck_sock)
{
  close(recheck_sock);
}
else
{
  security_hole(port:port, extra:'\nNessus crashed the SMTP server.\n');
}